BUUCTF crackme: personal takeaways and solution
Summer man 2021-06-04 09:55:39

This challenge took me nearly two days. In the meantime I read write-ups I could not understand at all and kept pestering people for advice, until finally I debugged it myself. It was not easy, but I really learned a lot, so I am recording it here.

Open the program first. It asks us to enter a user name and a password. Understood.

Throw it into IDA.

Enter the main function, wmain.

Rename the functions to names you can understand.

From the while here and the innermost break you can tell that, to get out of the loop, both if conditions have to be satisfied.

First, let's analyze the first if. Click into sub_401830 and start analyzing.

For this if to hold, the expression after this return must be true, and v14 == 43924 must hold. So we go back here (literally).

There are a lot of if checks here. From experience, we can press r on the numbers after each if to convert them to characters. Here we guess that when all the ifs are satisfied, the result is exactly 43924 (I could not figure it out without guessing; analyzing all of it is scary to even think about).

You can write a Python script to validate our guess.

Huh, the answer is not 43924. Why is that? (Keep reading.)

It turned out to be this:

There are two options at this spot, and I chose the upper one.

After changing to the lower one:

Perfect. The resulting v17 is "dbappsec".

OK, let's keep working backwards.

The first time I did this I analyzed these for a long time without knowing what they were. After looking it up online, it turned out to be an anti-debugging function, so I ignored it.

Because we've got v17, and we also know the user name is welcomebeijing (it was said at the start that the user name is entered when the program starts), we can use OllyDbg to debug dynamically and read the value of byte_416050.

Drag it into OllyDbg, work out the dynamic offset, and run the program.

Enter the user name welcomebeijing.

Now we stop and find the spot IDA showed us.

The upper xor eax, ecx is the key step, so mark it.

This is the XOR. From the assembly above we can see that movzx ecx, [ebp+var_209] moves the value of byte_416050 into ecx, and the value of ecx here is exactly what we want to know!

So now we have a plan: set a breakpoint on the xor, stop the program at the instruction right before the xor on every pass, and we can easily read the value of ecx.

Then go back to the program and type in any password (it is going to end up there anyway).

See? That's the value of ecx.

Because of while (v6 < 8), this runs 8 times. Here we keep pressing F9 to continue and record the value of ecx each time. The values of ecx, that is, the values stored in byte_416050, are 0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd.

Then continue working backwards.

(My wording may be a little strange; let's just get the rough idea.)

The next if doesn't matter. You can write the code directly.

Throw this string of characters into an online MD5 decrypt site and get flag{d2be2981b84f2a905669995873d6a36c}.
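As an added example (not the author's script), here is the computation described above: XOR the byte_416050 values recorded from ecx with v17, which is how I read the check in this write-up (an assumption, since the decompiled condition is not shown here), then hash the result locally with hashlib instead of pasting it into an online MD5 site.

```python
import hashlib

# byte_416050 values recorded from ecx at the xor breakpoint (from the write-up)
BYTE_416050 = bytes([0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd])
# v17 recovered from sub_401830 (from the write-up)
V17 = b"dbappsec"


def recover_password(key: bytes, expected: bytes) -> bytes:
    """Undo a byte-wise XOR check.

    If the program tests input[i] ^ key[i] == expected[i] for each i, the
    input that passes is expected[i] ^ key[i]. The loop is while (v6 < 8),
    so exactly eight bytes are involved. Assumption: the check pairs
    byte_416050 (key) with v17 (expected)."""
    if len(key) != len(expected):
        raise ValueError("key and expected value must have the same length")
    return bytes(k ^ e for k, e in zip(key, expected))


def flag_from_password(password: bytes) -> str:
    """BUUCTF wraps md5(password) in flag{...}; hashlib does this offline."""
    return "flag{" + hashlib.md5(password).hexdigest() + "}"


def describe(candidate: bytes) -> str:
    """Show the bytes as hex and say whether they are all printable ASCII,
    because a web form cannot take raw non-printable bytes as typed text."""
    printable = all(0x20 <= b < 0x7f for b in candidate)
    return f"{candidate.hex()} printable={printable}"


if __name__ == "__main__":
    pw = recover_password(BYTE_416050, V17)
    print(describe(pw))
    print(flag_from_password(pw))
```

If the recovered bytes are not all printable, hashing them locally is the only reliable way to get the MD5 of the exact byte sequence.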

While doing it I felt like I knew nothing, but after finishing I found I basically understood this problem. Still very happy.

Takeaways:

.

..

Love is so cute

(Unconscious praise)